mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-23 23:58:31 -05:00
SECURITY: Don't allow redirects with periods in case you don't control
other tlds on the same domain.
This commit is contained in:
parent
59cc2476a1
commit
316f1bea04
2 changed files with 10 additions and 1 deletions
|
@ -65,7 +65,9 @@ class StaticController < ApplicationController
|
|||
begin
|
||||
forum_uri = URI(Discourse.base_url)
|
||||
uri = URI(params[:redirect])
|
||||
if uri.path.present? && (uri.host.blank? || uri.host == forum_uri.host)
|
||||
if uri.path.present? &&
|
||||
(uri.host.blank? || uri.host == forum_uri.host) &&
|
||||
uri.path !~ /\./
|
||||
destination = uri.path
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
|
|
|
@ -89,6 +89,13 @@ describe StaticController do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with a period to force a new host' do
|
||||
it 'redirects to the root path' do
|
||||
xhr :post, :enter, redirect: ".org/foo"
|
||||
expect(response).to redirect_to '/'
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a full url to someone else' do
|
||||
it 'redirects to the root path' do
|
||||
xhr :post, :enter, redirect: "http://eviltrout.com/foo"
|
||||
|
|
Loading…
Reference in a new issue